GHOST Vulnerability

Any ETA on a patch?
http://itsecurityguru.org/security-advisory-ghost-vulnerability-linux-systems/#.VMlUuP54ojo

1 Like

See http://issues.freepbx.org/browse/FREEPBX-8640 for an issue alerting the maintainers that CentOS 6.5 is affected in FreePBX 2.11

We are working on this. However please keep in mind that this vulnerability is extremely hard to replicate. That does not mean we are down playing it, only giving a reasoning to the delayed response in Schmooze OS.

However, closer inspection reveals that this particular vulnerability, while serious, is not easy to exploit and has a very limited attack surface.

Here is a list of potential targets that we investigated (they all call
gethostbyname, one way or another), but to the best of our knowledge,
the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
vsftpd, xinetd.

We have pushed a new glibc to our yum repositories for the 5.211.65 and 6.12.65 FreePBX track as well as the 10.12.65 PBXact track. You can update by simply running yum update glibc.

You may have to run yum clean all prior to yum update glibc.

hi, i’m still getting the hang of this linux stuff, so sorry if this is a stupid question,

i’m trying to update my system with yum -y update and i’m getting the following errors,

can anyone help me out on how i go about fixing this issue. thank you for your time and effort in advance.

[[email protected] ~]# yum -y update
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
Resolving Dependencies
–> Running transaction check
—> Package glibc.x86_64 0:2.12-1.132.el6_5.4 will be updated
—> Package glibc.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
—> Package glibc-common.x86_64 0:2.12-1.132.el6_5.4 will be updated
–> Processing Dependency: glibc-common = 2.12-1.132.el6_5.4 for package: glibc-2.12-1.132.el6_5.4.i686
—> Package glibc-common.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
—> Package glibc-devel.x86_64 0:2.12-1.132.el6_5.4 will be updated
—> Package glibc-devel.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
—> Package glibc-headers.x86_64 0:2.12-1.132.el6_5.4 will be updated
—> Package glibc-headers.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
–> Finished Dependency Resolution
Error: Package: glibc-2.12-1.132.el6_5.4.i686 (@updates)
Requires: glibc-common = 2.12-1.132.el6_5.4
Removing: glibc-common-2.12-1.132.el6_5.4.x86_64 (@updates)
glibc-common = 2.12-1.132.el6_5.4
Updated By: glibc-common-2.12-1.149.shmz65.1.1.x86_64 (pbx)
glibc-common = 2.12-1.149.shmz65.1.1
Available: glibc-common-2.12-1.132.el6.x86_64 (base)
glibc-common = 2.12-1.132.el6
Available: glibc-common-2.12-1.132.el6_5.1.x86_64 (updates)
glibc-common = 2.12-1.132.el6_5.1
Available: glibc-common-2.12-1.132.el6_5.2.x86_64 (updates)
glibc-common = 2.12-1.132.el6_5.2
Available: glibc-common-2.12-1.132.el6_5.3.x86_64 (updates)
glibc-common = 2.12-1.132.el6_5.3
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

never mind I sorted it out… thanks anyway

I’m getting the same error when trying to update glibc. What did you do to fix it? I’ve tried yum clean all to no success.

Same issue here, but so far nobody seems to of offered up a way to correct this. Not sure why this happened to some installs, but not others. Still it would be nice to correct, and load the updated libs…

What version of the Distro are you using that this is failing on?

It looks like we’re on 5.211.65-16 at present. I see from your releases page that we’re a few minor versions behind. I’ll see if we can schedule in downtime to update to the latest minor version and then retry the glibc update.

Whoops, I didn’t see this for a bit, but if you were by chance asking me. The system in question is FreePBX Distro, that started life as a 5.x release, but is currently at 6.12.65-24 at this time. I have run all the latest distro update scripts, but of course they fail on this part of the yum updates.

I have waited days and run yum clean all multiple times, but still always the same result…